Malware that disables PCs and demands hefty cash payments has come a long way.

Malware that disables computers and demands that hefty cash payments be paid to purported law-enforcement agencies before the machines are restored is extorting as much as $5 million from end-user victims, researchers said.

The estimate, contained in a report published on Thursday by researchers from antivirus provider Symantec, is being fueled by the mushrooming growth of so-called ransomware. Once infected, computers become unusable and often display logos of local law-enforcement agencies, along with warnings that the user has violated statutes involving child pornography or other serious offenses. The warnings then offer to unlock the computers if users pay a fine as high as $200 within 72 hours.

"A lot of individuals do pay up, either because they believe the messages or because they realize it is a scam but still want to restore access to their computer," Symantec's 16-page report explained. "Unfortunately, even if a person does pay up, the fraudsters often do not restore functionality. The only reliable way to restore functionality is to remove the malware."

The report identified at least 16 different ransomware versions spawned by competing malware gangs. Many are completely different families of malware, rather than multiple variants of the same family, and most have their own unique behavior. Many use freely available geographic location services to determine where each infected computer is and, based on that information, display law-enforcement logos and ransom demands that are local to that user. Demands frequently carry threats of arrest if victims don't pay promptly, usually by using electronic payment systems to purchase an unlock code.

The Symantec researchers penetrated the command-and-control server of one ransomware scam. Over a period of about a month, between September and October, 68,000 unique IP addresses connected. During a single day in that period there were 5,700 connections, and of those 168 entered what appeared to be valid unlock codes. Assuming 2.9 percent of the overall 68,000 infections paid the $200 fee, that would have netted more than $394,000, although the scammers would have lost a percentage of that as they attempted to launder the money. The Symantec report doesn't explain precisely how the overall $5 million estimate was reached. Presumably, it is the result of factoring in the remaining ransomware operations.

The organization and proliferation of the scam has come a long way since the early days of ransomware several years ago. Back then, similar malware scams were limited mostly to Russia and Eastern Europe and often contained warnings in Russian that purported to be activation screens from Microsoft. Over time, the warnings began to make claims that users were in violation of local pornography laws and migrated west, to Germany, the UK, and Austria. More recently, the US and Canada have also been increasingly hit by the campaigns.

In some cases, the gangs operating the scams are also responsible for highly profitable operations that use malware to carry out bank fraud, indicating just how far ransomware has come.

"The individuals responsible for it are clearly professional criminals, and for them to have expanded into the distribution of ransomware is a sign of the profitability behind the scam," the researchers wrote.

While I hate this stuff, I grudgingly admit that it keeps me, at least in part, employed. I see this stuff a lot, along with scareware and the whole suite of scams. And when the helpdesk can't get it straightened out and I have to jump in the trenches, I find it kinda fun playing computer-fu trying to break these programs loose. The ones that lock services down, launch processes, constantly rewrite registry settings, and block internet access at the same time are particularly nasty. Those fights are sometimes fun.

Pro Tip (well, maybe not given the site): In a pinch you can use MS Calculator to get out to the net if all browsers are locked down. Amazes the users every time. Move! - Nick Burns

Man those malware cats are getting clever. I like the one that enables your webcam and says something like "We are taking pictures of you for identifying purposes" or whatever. I've found that these ones are a bit easier to remove than some of that anti-virus malware crap that locks down your browser, just a boot into safe mode and a scan will get it.


True, but then there are the bastards that actually encrypt your hard drive and don't give you the key without, as they say in Mexico, una propina. If you haven't backed up your stuff (and you care about it), you don't have much choice but to pay, do you?

I've seen several business servers in town over the last few weeks get attacked by a ransomware scheme that encrypted all common document types in aes256 and demanded $2000 to unlock. While none of the businesses I know paid, it's kind of scary and highlights the importance of a good backup setup without any half-assing. In one case, they had backups that were done offsite over a vpn, which were wiped by the hackers. Before with malicious attacks, it was uncommon to target small businesses because there was little-to-no gain in doing so, but this trend is making it a lot more likely that you'll be targeted.

I have fixed lots of these, some even activate the webcam and show the video feed on the ransom page. I haven't investigated if webcam data is actually being transmitted to a C&C, but it does a good job scaring people.

On top of that, lots of people get these going to porn sites or via illegal downloads, and are scared or embarrassed to actually seek expert help when it happens, so they think paying might just make it go away without having to bring it to a stranger and tell them you were on your favorite BBW site and got the malware smackdown.

I do get a couple of honest guys who will tell me exactly what was going on when it happened.


Pro Tip (well, maybe not given the site): In a pinch you can use MS Calculator to get out to the net if all browsers are locked down. Amazes the users every time. Move! - Nick Burns

I know the trick to use Calc to convert the IP to binary, then to decimal to get around blocked sites at the network level, which is maybe what you're talking about -- but do you mean you can use it when malware is instantly killing iexplore.exe, firefox.exe, etc?

edit: Oh, indeed you can. Using the html help viewer you can jump to other urls using the upper left title-bar menu.

The only real long term plan is education in computer usage, how the U.S. government actually works, and how to avoid general fraud.

(HINT: The U.S. gov. generally isn't going to lock your computer and have you send money to a random website. If they really wanted your money they would just do an electronic transfer or take you to court.)

Scareware is a great business model with the itty bitty problem that it is illegal in the U.S.

You do still wonder about some of the formatting of these things. For example, I can't imagine the FBI ever putting exclamation marks at the end of sentences: OMG you were found looking at kiddeh pr0n!

Also, who really thinks that they can get out of these kind of allegations for $200? or any amount of money?

Although I do feel sorry for the people that fall victim to these kinds of attacks, the level of panic, or likely guilt at having done some of those things, that kicks in must be huge to override one's common sense.

craigc wrote:

True, but then there are the bastards that actually encrypt your hard drive and don't give you the key without, as they say in Mexico, una propina. If you haven't backed up your stuff (and you care about it), you don't have much choice but to pay, do you?

I recently had to clean these law enforcement agency scams (I'm in Canada, so they appeared as coming from RCMP) and they're not that hard to remove as they don't delete the System Restore restore points and once in Safe Mode you just restore to a date prior to infection.

What they do which is harder to fix is they disable the firewall and break Security Center (at least on XP). Once infection is removed these still need to be fixed.

You do still wonder about some of the formatting of these things. For example, I can't imagine the FBI ever putting exclamation marks at the end of sentences: OMG you were found looking at kiddeh pr0n!

Totally mis-read that the first time... my brain replaces "kiddeh" with "kitty"...

This is why I maintain two things. The first: an external hard drive with any documents/program installers I might need to keep (soft-copy tax returns, important photos, anti-virus [avast], CCleaner, Defraggler, etc.). The second: my Windows installation discs. My computer gets hit with a nasty bug, I just re-install Windows.

[WARNING: OFF-TOPIC] That is why I dislike the recent shift towards all-digital programs. Often, the product key will only work once and when used, the installation program often becomes unusable.


Reboot between each fix... hopefully I helped a few persons here; I had to spend hours before I found this information.

Also, if Windows Safe Mode doesn't start, like it happened on one of the machines I fixed, you can always clean by booting from a rescue CD like the AVG Rescue disk.

That's good info, but some of these monsters do quite a bit more than that. How much more - what else have they broken? Good luck making sure you've found it all and truly cleaned it all up. I recently managed to get a neighbor's system, which was infected with one of the "FBI" flavors, more-or-less restored with safe mode, Malware Bytes, advice like the above based on searches, and using selected registry keys exported from a clean system. (Danger, Will Robinson! Danger! You don't really want to go there, but we'd been at it for hours, and the clean system was right next door, at my house!) Did he have a backup? Sure! Of course! Seven months old. System restore failed, using restore points created days and weeks prior to the infection.

I made him copy all of his documents and whatnot to his external drive and told him that he'd have to wipe it and reinstall Windows to be sure; the nuke from high orbit option. I hate doing that but feel that it really is the one-and-only, sure-fire, can't miss option. Otherwise, the system may never actually be fully cleaned, no matter what The Cleaner says. These infections are that bad.

TL;DR: backups, backups, backups. Also, throw in some backups. Make sure that you have OS restore media of some sort. (Don't rely entirely on an OEM's restore partition. Make your own optical discs, if you don't have Microsoft-provided media.) I feel extra sorry for those who have no restore media or restore options at all.


edit: Oh, indeed you can. Using the html help viewer you can jump to other urls using the upper left title-bar menu.

Does that also work with Windows 7? I couldn't find the option from the help window.

I did find out that you can Start->Run->"hh <url>" and browse through the help viewer. Never knew that was possible.

I got a few friends hit by drive-by with these kinds of stuff because of the Java vulnerabilities that were all the rage a few months ago. Unfortunately, they were in Portuguese and had not entered the AV databases yet. One I could erase manually, the other I had to resort to a restore point.

By the way the calc help trick doesn't work on Win7. Who's still using XP, really?

[sigh... raises hand] Me. And every one of the several thousand users where I work. Win 7 would be nice but unless you've worked under an ISO certification in an engineering environment where everything [EVERYTHING] had to be certified and V&V'd under a new OS, you might not know how big an endeavor that is. We will be transitioning shortly, but currently it's XP all the way. It's like trying to steer the Titanic in very large enterprises as far as IT is concerned.


I'm aware that OS change is problematic in the enterprise, but I assumed this sort of malware attacks home users primarily. If people can't wait to get home to see the new chicken video, they need to get their heads examined.

By the way the calc help trick doesn't work on Win7. Who's still using XP, really?

On the other hand, start->run-> hh http://<website> will work on Windows 7. Won't impress as much as calc though. XP is not going away quickly; as recently as this year (2012) I saw NT 4.0 machines using modems for bank data transfers. XP still has its place in business supporting crappy applications... why do you think you get XP mode with your now old Win7?

My toolset for virus includes sysinternals tools autoruns and procexp/procmon ... and a crowbar for the knuckles of any of them I meet in person.


My toolset is a computer running linux, screw drivers, an empty USB drive enclosure, windows reinstall disks, and sarcastic remarks that if they'd done backups I could easily restore it with all their apps intact. Just making it known that, while I'll try to recover their data, they'll otherwise be starting over with a clean OS install is generally sufficient to get people to go credit card in hand to worstbuy instead and leave me alone.


I'm aware that OS change is problematic in the enterprise, but I assumed this sort of malware attacks home users primarily. If people can't wait to get home to see the new chicken video, they need to get their heads examined.

I'm fairly certain you're right about mostly home users, but it crops up at work from time to time as well. That said, we also don't filter websites, and our internet policy is that infrequent personal use (breaks, lunch, etc) is OK as long as it doesn't interfere with work. Read that as: "It's not my concern if Bobby is on facebook for four hours, it's your job as a manager to enforce your policies, not mine. He works for you, not me". It's kinda the "We are all adults here" mindset. Therefore people will open personal emails at work, and more often I suspect, since we have a lot of foreign engineers (nothing wrong with that), some of the sites they might visit at home might not have as tight security controls as those in other, more developed countries.

But in the end it's never the users' fault. They weren't doing anything internet related when their computer got infected.

This is especially fun now that Windows 8 makes it harder to boot into safe mode to bypass it.

As far as I know the easiest way to get Win 8 into safe mode:
1. go to desktop
2. Press the "windows" key and "R"
3. type msconfig
4. choose the boot tab
5. check the safe boot check box and choose minimal
6. click Ok and you will be prompted to restart

I haven't seen the law enforcement one, but I have seen the one pretending to be a fake anti-viral software that detects a problem and won't let you browse.

It usually results in my googling on my ipad how to remove it with only semi-clear instructions.

I wouldn't even bother. The best policy when dealing with virus infected machines is to wipe completely and reinstall everything. It doesn't exactly take that long to do (not compared to figuring out how to manually remove all traces of the malware, anyway), and you're guaranteed that everything's completely clean.

By the way the calc help trick doesn't work on Win7. Who's still using XP, really?

Too funny. If there are Baptists around, it might be.

I like my XP SP3 tyvm. And when I say SP3, there's not a single update. Fresh off the disk. Install Avast and disable a million services. Follow that with Chrome, Google Earth, VLC, Warcraft, and obviously; Tac-Ops.


do the same in reverse to get back to "regular" mode

The one that I did battle with somehow disabled WK + R. (In fact, WK + anything). Safe mode was, however, possible from cold boot, when I managed to catch the 33 millisecond function key window.

For fun (?), here's everything that the one that I encountered did on the infected, Windows 7 system. In spoiler tags for TL/DR. I imagine most readers are familiar with these things anyway, and probably have longer or more detailed lists, depending on the variant. And better fixes. And I'm sure I didn't catch it all.


After safe mode boot and running Malware Bytes, which "removed" the threat, here's what we found.
1. It disabled McAfee. (YAY! I wanted to nuke that anyway, as step 1.5, but the owner of the system objected.) McAfee security settings for A-V and firewall would not work - or would appear to work but revert after reboot. Many previously available settings were greyed out. McAfee was thoroughly hosed, on virtually all fronts. Could not get updates, claiming the server to be unavailable. (Yes, we had an Internet connection - possibly a DNS thing.) McAfee was nagging us!
2. It disabled the Windows firewall (probably already disabled by McAfee, but ...)
3. It disabled Security Center
4. It disabled the Windows Key + (any other key) functions. Only the start menu was available.
5. It disabled msconfig (deleted executable? horked registry key? no idea, don't care.)
6. It disabled Windows Updates
7. It deleted at least a dozen registry keys, some associated with the above. Impossible for me to know how many others, or how many it left in place with altered values. I only "fixed" the more critical ones, one way or another, just to get the guy in a position to manually back up his personal files and eventually wipe and rebuild.
8. It killed a kitten.
9. It trolled a Dan Goodin article comments thread.
A. After finally uninstalling McAfee, in spite of the guy's protests, things got MUCH better and he could sorta use the system. He later told me that MSE would not install for some reason - no details.
B. The guy later hinted at other problems. I told him to get the hell over it and wipe and rebuild, or to leave me alone. I'm not up for this shit.
C. It put ketchup on his steak.
Sure, then he wiped it and rebuilt, and manually restored the personal files I'd made him copy to an external drive. No word since then.
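The damage list in the post above (firewall, Security Center and Windows Update disabled, Windows key combinations blocked, msconfig unusable, registry keys deleted) is exactly what a post-cleanup triage should check for. The read-only PowerShell script below is an added example, not code from the thread or from any tool it mentions; the service and registry names are standard Windows 7/8 ones, but the choice of what to check is assumed from the post, not taken from any particular ransomware sample. Run it from an elevated prompt after the Safe Mode scan.

```powershell
# Added example: read-only triage for the tampering symptoms listed in the post.
# Assumptions: Windows 7/8, PowerShell 2.0 or later, elevated prompt.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Security services the post says were disabled (WMI works on PowerShell 2.0+).
$services = @{ 'MpsSvc' = 'Windows Firewall'; 'wscsvc' = 'Security Center';
               'wuauserv' = 'Windows Update' }
foreach ($name in $services.Keys) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) {
        $findings.Add("service $name ($($services[$name])) is missing")
    } elseif ($svc.StartMode -eq 'Disabled' -or $svc.State -ne 'Running') {
        $findings.Add("service $name ($($services[$name])) is $($svc.State), start mode $($svc.StartMode)")
    }
}

# 2. Firewall policy per profile; EnableFirewall = 0 means that profile is off.
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($prof in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $p = Get-ItemProperty -Path "$fwBase\$prof" -ErrorAction SilentlyContinue
    if ($p -and $p.EnableFirewall -eq 0) { $findings.Add("firewall $prof is disabled") }
}

# 3. Policy values that lock the user out of recovery tools (Windows key combos,
#    Run dialog, Task Manager, regedit). On a home machine none should be set.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$locks = @(
    @{ Key = "$pol\Explorer"; Name = 'NoWinKeys' },
    @{ Key = "$pol\Explorer"; Name = 'DisallowRun' },
    @{ Key = "$pol\System";   Name = 'DisableTaskMgr' },
    @{ Key = "$pol\System";   Name = 'DisableRegistryTools' }
)
foreach ($l in $locks) {
    $v = Get-ItemProperty -Path $l.Key -Name $l.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($l.Name) -eq 1) { $findings.Add("policy $($l.Name) is set in $($l.Key)") }
}

# 4. Keys whose absence stops Safe Mode from booting at all.
foreach ($k in 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
               'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network') {
    if (-not (Test-Path $k)) { $findings.Add("missing key $k (Safe Mode will not boot)") }
}

# 5. The logon shell must be explorer.exe; lock screens commonly replace it.
foreach ($hive in 'HKLM', 'HKCU') {
    $wl = Get-ItemProperty -Path "$($hive):\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -ErrorAction SilentlyContinue
    if ($wl -and $wl.Shell -and $wl.Shell -ne 'explorer.exe') {
        $findings.Add("$hive Winlogon Shell is '$($wl.Shell)'")
    }
}

# 6. Autostart entries, printed for review alongside Sysinternals Autoruns.
foreach ($hive in 'HKLM', 'HKCU') {
    $run = Get-ItemProperty -Path "$($hive):\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { Write-Host ("autostart {0}\Run: {1} = {2}" -f $hive, $_.Name, $_.Value) }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No tampering indicators found.' }
else { $findings | ForEach-Object { Write-Host "FINDING: $_" } }
```

A clean result here only means these particular indicators are absent; as the post says, a wipe and rebuild is still the only way to be sure.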


It wasn't but two weeks ago that I cleaned off one of these things from a friend's computer. I was lucky in that the one that bit him wasn't very sophisticated.

But I have to wonder, when there's money changing hands, why can't the federal government trace where the payments are going and nail the bastards that are doing this? They seem to have the resources to go after a variety of other illegal activity on the internet, so why can't they do anything about this? Or are they, and I'm just not aware of it?

The one I cleaned off had references to buying some kind of non-bank payment cards at places like CVS and K-Mart to pay the extortion. I'd bet that if the same financial avenue were being used to hide money transfers for something like drugs, pirated goods, or hookers that they'd be all over it. And as evidenced by the Kim Dotcom incident they don't seem to be too worried about national borders, either. If it's between going after Kim Dotcom and these guys I'd prefer them going after these guys. Of course, if they bungled it as bad as the Kim case then the ransom-ware writers would probably wind up becoming sympathetic heroes!